Archive

As a malware analyst, I find new pieces of malware day in and day out. In fact, I see so many new malware samples that it’s difficult for me to determine which pieces would be really interesting for the public. Today, however, I found something that immediately caught my attention and that I thought would be interesting to share.

The three URLs listed above belong to websites that offer mobile monetizing kits: advertising SDKs that developers embed in their mobile apps in order to earn money from advertisements. If a user taps one of the ads delivered by one of these providers, he or she may be led to a malicious subdomain.

The most visited of the three is Espabit. According to our statistics, Espabit’s servers get around 150,000 views a day, and nearly 100% of the views come from mobile devices. This may not seem like much compared to the number of Android users in the world, but it is still a considerable number. Espabit is trying to position itself as a world leader in advertising, and its website may appear innocent, but first impressions can be deceiving.

The most visited Espabit subdomain, with more than 400,000 views during the last few months, leads app users to pornographic sites via the ads displayed in their apps. The site displays a download offer for nasty apps (no pun intended) that have malicious behavior.

The above is just one example of the malicious links; there are many others hosted on the same server. The majority of the links lead to pornography or fake apps that all have one thing in common: They all steal money from innocent users.

How do they convince people to download their app? By posing as official Google Play apps. The apps are designed to look like they come from the official Google Play Store, tricking people into trusting the source. Since Android by default blocks the installation of apps from unknown sources, the sites offer guides in different languages, such as English, Spanish, German, and French, explaining how to change Android’s settings so that apps from unknown sources, like these malicious apps, can be installed. How considerate of them.

Now let’s take a deeper look at what the apps are capable of doing:

All of the “different” apps being offered by the three sites listed above are essentially the same in that they can steal personal information and send premium SMS. So far, we know about more than 40 of them stored on the websites’ servers. Most of the apps are stored under different links and, again, are offered in different languages (they want everyone to be able to “enjoy” their apps). The goal behind all of the apps is always the same: Steal money.

Some of the permissions the apps are granted when downloaded…

Once you open the apps, you get asked if you are 18 or older (they are not only considerate in that they offer their product in various languages, but they also have morals!).

After you click on “YES” you are asked to connect your device to the Internet. Once connected, the device silently starts sending premium SMS messages, each costing $0.25, three times a week. That is all the app does. The amount stolen each week does not seem like much, but that may be deliberate: people may not notice that their phone bill is $3.00 higher than the month before, and if they never realize that the app is stealing from them and never delete it, it can cost them $36.00 a year.

This malware is not unique in terms of the technique it uses. Collectively, however, the three websites have around 185,000 views daily, which is a lot considering that malware is stored on their servers. Not everyone is redirected to malware, but those who are get scammed. Given that the most visited malicious subdomain had around 400,000 views in the last quarter, a large number of those visitors were very likely infected. This means these ad providers are making a nice sum of money, and not all of it comes from ad clicks and views.

Although many mobile carriers around the world block premium SMS, including major carriers in the U.S., Brazil, and the UK, this case should not be taken lightly. These malware authors use social engineering to circumvent Google’s security and target innocent app users via ads. Think of how many apps you use that display ads, then think of all the valuable information you have stored on your phone that could be abused.

All malicious apps we found and described here are detected by Avast as:

Android:Erop-AG [Trj]
Android:Erop-AJ [Trj]
Android:Erop-AS [Trj]

Some SHA256 hashes:
DBEA83D04B6151A634B93289150CA1611D11F142EA3C17451454B25086EE0AEF
87AC7645F41744B722CEFC204A6473FD68756D8B2731A4BF82EBAED03BCF3C9B

Most people want to stay on top of their bills and not pay them late. Recently, however, unexpected emails claiming an overdue invoice have been showing up in people’s inboxes, causing anxiety and, ultimately, a malware infection. Read this report from the Avast Virus Lab so that, as a consumer, you know what to look for, and, as the systems administrator of an SMB or other website, you know how cybercrooks can use your site in this type of social engineering scam.

Recently we saw an email campaign which attempted to convince people to pay an overdue invoice, as you can see on the following image. The user is asked to download an invoice from the attached link.

The downloaded file pretends to be a regular PDF file; however, the filename “Total outstanding invoice pdf.com” is very suspicious. The word “pdf” is only part of the name: the real extension is .com, a legacy Windows executable extension, so double-clicking the file runs a program rather than opening a document.

When the user executes the malicious file, after a few unpacking stages, it downloads the final payload. The Avast Virus Lab has identified this payload as Pony Stealer, a well-known data-stealing Trojan that was previously responsible for stealing $220,000, as you can read here.
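The filename trick above (an executable extension hidden behind a document-looking name) is easy to screen for at a mail gateway or in a download handler. The following checker is an added example written for this page, not code from the campaign or from Avast. The extension lists are an assumption for the example, and the sample filenames are constructed, the first of them being the name from the campaign:

```python
import re
import unicodedata

# Extensions that Windows will run as a program when double-clicked.
# This list is an assumption for the example, not an exhaustive one.
EXECUTABLE_EXTS = {
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "msi", "ps1", "cpl", "lnk", "jar",
}
# Extensions a user expects to see on a document or picture.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
                 "rtf", "txt", "jpg", "jpeg", "png"}

# Unicode bidirectional overrides let "annex\u202efdp.exe" render as "annexexe.pdf".
BIDI_OVERRIDES = {"RLO", "LRO", "RLE", "LRE", "RLI", "LRI", "FSI"}


def _tokens(stem):
    """Split the part before the last dot on dots, spaces, dashes and underscores."""
    return [t for t in re.split(r"[.\s_\-]+", stem) if t]


def classify_attachment(filename):
    """Return ('suspicious' | 'ok', reason) for an attachment filename."""
    if any(unicodedata.bidirectional(c) in BIDI_OVERRIDES for c in filename):
        return "suspicious", "bidirectional override character hides the real extension"
    lowered = filename.strip().lower()
    if "." not in lowered:
        return "ok", "no extension"
    stem, ext = lowered.rsplit(".", 1)
    if ext in EXECUTABLE_EXTS:
        # "invoice pdf.com", "report.pdf.exe": a document word in front of a runnable extension
        disguise = [t for t in _tokens(stem) if t in DOCUMENT_EXTS]
        if disguise:
            return "suspicious", f"executable .{ext} dressed up as a {disguise[-1]} document"
        return "suspicious", f"executable attachment (.{ext})"
    return "ok", f".{ext} is not directly executable"


# Constructed sample filenames; the first one is the name seen in the campaign.
SAMPLES = [
    "Total outstanding invoice pdf.com",
    "invoice.pdf",
    "report.pdf.exe",
    "annex\u202efdp.exe",
    "README",
]

if __name__ == "__main__":
    for name in SAMPLES:
        verdict, reason = classify_attachment(name)
        print(f"{verdict:10} {name!r}: {reason}")
```

The check only looks at the name, so it complements rather than replaces content inspection: an archive or a macro document passes it, and a renamed executable inside a ZIP has to be caught after extraction.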

We followed the payload URL and discovered that it was served from a hacked website. The interesting part is that we found a backdoor on that site which allowed the attacker to take control of the entire website. As you can see, the attacker could create a new file on the hacked site and write arbitrary data to it, for example a malicious PHP script.

Because that website was unsecured, cybercrooks used it to host several Pony Stealer administration panels, including the original installation package, and some other malware samples as well. You can see an example of the Pony Stealer panel’s help page, written in Russian, in the following picture.

Avast Virus Lab advises:

For Consumers: Use extreme caution if you receive an email trying to convince you to pay for services you did not order. This use of “social engineering” is most likely fraudulent. Do not respond to these emails, and do not open their attachments or follow their links.

For SMBs: If you are a server administrator, please secure your server and follow general security recommendations. As this article shows, your server can be hacked and a backdoor placed on your website, allowing anyone to upload whatever they want to it. Protect yourself and your visitors!

SHA256 hashes and detections:

4C893CA9FB2A6CB8555176B6F2D6FCF984832964CCBDD6E0765EA6167803461D

5C6B3F65C174B388110C6A32AAE5A4CE87BF6C06966411B2DB88D1E8A1EF056B

Avast detections: Win32:Agent-AUKT, Win32:VB-AIUM

Acknowledgement:

I would like to thank Jan Zíka for discovering this campaign.

Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.

Most people would not dream of neglecting the security of their PC or laptop, but those same people forget that the device in their pocket is just as powerful, if not more so. You’ve heard it before: your expensive smartphone, which stores personal data, private photos, Internet banking information and even company data, is an attractive target for cybercrooks and thieves.

AV-Comparatives, an independent organization that tests antivirus products and mobile security solutions, released new test results and gave avast! Mobile Security the highest “Approved Award” for Android security products.

“avast! Mobile Security has a wide range of features with innovative functionality. We particularly liked the wide range of configuration options and remote commands, which provide the user with a comprehensive remote control function,” wrote the authors of the final report.

Attacks on mobile phones are getting more and more sophisticated, and their number is growing rapidly. “We now have more than 1 million malicious samples in our database, up from 100,000 in 2011,” said Avast’s CCO, Ondřej Vlček. “Mobile threats are increasing – we expect them to reach the same magnitude as PC malware by 2018.”

avast! Mobile Security scans all installed applications for malware and has various real-time protection shields that protect against:

Malicious apps and phishing sites

Sites containing malware

Typo-squatting sites reached by entering a mistyped URL

Incoming messages with phishing/malware URLs

Malicious behavior during file read or write operations

Anti-theft protection

avast! Anti-Theft is a stand-alone app that can be installed separately from avast! Mobile Security. The app is hidden from view and can be controlled remotely for functions such as lock, locate and wipe, redirection of calls, texts and call logs, etc.

In addition to the malware and anti-theft protection, AV-Comparatives liked the standalone avast! Mobile Backup, which enables personal data to be backed up to Google Drive.

“The Backup, App Locker and Privacy Scan features, which were promised last year, have now been implemented and complete the program’s functionality. [avast! Mobile Security] is a very comprehensive security product with a wide range of configuration options.”


U.S. merchants advised to protect themselves against same PoS hack that hit Target and Neiman Marcus last year.

More than 1,000 U.S. businesses have had their systems infected by Backoff, a point-of-sale (PoS) malware that was linked to the remote-access attacks against Target, Michaels, and P.F. Chang’s last year and more recently, UPS and Dairy Queen. In the Target breach alone, 40 million credit and debit cards were stolen, along with 70 million records which included the name, address, email address, and phone number of Target shoppers.

The way these breaches occur is laid out in “BACKOFF: New Point of Sale Malware”, a new U.S. Department of Homeland Security (DHS) report. Investigations reveal that cybercrooks use readily available tools to identify businesses that use remote desktop applications, which allow a user to connect to a computer from a remote location. The Target breach began with login credentials stolen from the retailer’s heating and air-conditioning contractor.

Once a business is identified, the hackers brute-force the login of its remote desktop solution. After gaining administrator or other privileged access, the cybercrooks deploy the PoS malware and steal consumer payment data. If that’s not enough, most versions of Backoff also have keylogging functionality and can upload discovered data, update the malware, download and execute further malware, and uninstall themselves.
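The brute-force stage described above leaves a loud trace in the Windows Security log of the targeted machine: a burst of failed logons (event 4625) from one source address, followed by a success (event 4624) from the same address. The detector below is an added example written for this page, not code from the DHS report or from Avast. It assumes the events have already been exported to a simple comma-separated form (a constructed format for the example), and the sample log is constructed rather than captured from a real intrusion:

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security log event IDs and the logon type used by RDP sessions.
LOGON_FAILED = 4625
LOGON_SUCCESS = 4624
REMOTE_INTERACTIVE = 10  # LogonType 10 = RemoteInteractive (RDP)

THRESHOLD = 5                    # failures from one address ...
WINDOW = timedelta(minutes=10)   # ... within this window raise an alert


def parse_events(text):
    """Parse 'timestamp,event_id,logon_type,user,source_ip' lines (a constructed format)."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, ltype, user, ip = line.split(",")
        events.append((datetime.fromisoformat(ts), int(eid), int(ltype), user, ip))
    return events


def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of RDP logon failures per source address.

    Emits ('bruteforce', ip, ts) when the threshold is reached and
    ('bruteforce_success', ip, ts, user) when a success follows the failures,
    which is the point at which the attackers in the report deploy the malware.
    """
    failures = defaultdict(deque)  # source ip -> timestamps of recent failures
    alerts = []
    for ts, eid, ltype, user, ip in sorted(events):
        if ltype != REMOTE_INTERACTIVE:
            continue
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()        # forget failures outside the window
        if eid == LOGON_FAILED:
            recent.append(ts)
            if len(recent) == threshold:
                alerts.append(("bruteforce", ip, ts))
        elif eid == LOGON_SUCCESS and len(recent) >= threshold:
            alerts.append(("bruteforce_success", ip, ts, user))
            recent.clear()
    return alerts


# Constructed sample log: six RDP failures and then a success from one address,
# one ordinary typo by a staff member, and a non-RDP failure that is ignored.
SAMPLE_LOG = """\
2014-08-01T02:00:01,4625,10,administrator,203.0.113.7
2014-08-01T02:00:02,4625,10,admin,203.0.113.7
2014-08-01T02:00:03,4625,10,pos,203.0.113.7
2014-08-01T02:00:04,4625,10,pos1,203.0.113.7
2014-08-01T02:00:05,4625,10,manager,203.0.113.7
2014-08-01T02:00:06,4625,10,pos,203.0.113.7
2014-08-01T02:00:07,4625,3,backup,203.0.113.7
2014-08-01T02:00:30,4624,10,pos,203.0.113.7
2014-08-01T08:15:00,4625,10,jsmith,198.51.100.4
2014-08-01T08:15:20,4624,10,jsmith,198.51.100.4
"""

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

Two caveats for a real deployment: the source address comes from the event’s “Source Network Address” field, which is empty for some failure paths, and on hosts with Network Level Authentication enabled the failed attempts are commonly recorded with logon type 3 rather than 10, so the filter should accept both.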

General steps SMBs and consumers can take to protect themselves

You should use a proper security solution, like avast! Endpoint Protection, to protect your network from hacking tools and malicious modules, and from hackers using exploits as a gateway to insert malware into your network. Because these intrusions start with a brute-forced remote desktop login, also limit that exposure: do not leave remote desktop reachable directly from the Internet, use strong and unique passwords on every account that can log in remotely, and lock accounts after repeated failed attempts.

Regularly monitor your bank and credit card statements to make sure all the transactions are legitimate.

The old ransomware business model is no longer enough for malware authors. New additions have turned Reveton into something even more powerful.

The latest generation of Reveton, the infamous “police” lock-screen ransomware, targets new black-market business. The authors upped the ante from a lock-screen-only version to a dangerously powerful password and credential stealer by adding the latest version of Pony Stealer. This addition affects more than 110 applications and turns your computer into a botnet client.

Reveton also steals passwords from 5 cryptocurrency wallets. The banking module targets 17 German banks and depends on geolocation. In all cases, Reveton contains a link to download an additional password stealer. The most common infection vector is the well-known exploit kits: FiestaEK, NuclearEK, SweetOrangeEK, etc.

Pony stealer module

Reveton uses one of the best password/credential stealers on the malware scene today. Pony’s authors have done deep reverse-engineering work, with the result that almost every stored password is recovered in plain-text form. The malware can crack or decrypt quite complex passwords stored in various forms. This works because most applications keep saved credentials under reversible, locally keyed encryption or simple obfuscation rather than as one-way hashes, so a stealer running in the user’s session can recover them.

The respected IT security and antivirus research lab AV-Test put 23 antivirus products designed for home users to the test in June for real-world malware blocking and for false positives. The test scenario replicated the setup of almost a quarter of AVAST’s 200 million users who still use Windows XP (SP3, 32-bit, English). Just like your antivirus protection at home, the products were allowed to update themselves at any time and to query their in-the-cloud services.

avast! Free Antivirus scored 100% in protection against malware infections, such as viruses, worms or Trojan horses. AV-Test used widespread and prevalent malware discovered in the previous 4 weeks, including malicious email attachments.

Avast! Free Antivirus had zero false positive detections, giving it a perfect score of 100%. False positives happen when your antivirus software erroneously identifies a file or a download as being malicious. The test included false warnings or blockages when visiting websites or when installing and using legitimate software.

Our customers are concerned about the impact antivirus protection has on their computer speed when visiting websites, downloading software, installing and running programs, and copying data. AV-Test measured the influence of each product in daily usage. On a scale with 5 being the lowest possible impact and 25 the highest impact, avast! Free Antivirus has minimal impact on system performance, scoring a very low 8.


Ransomware, the terror of Windows that locks computers, encrypts the files, then demands a hefty payment to unlock them, has made its way to Android smartphones.

“The ransomware problem is growing like hell – and it’s no longer just threatening users – the new versions actually do encrypt your files,” said Ondrej Vlcek, Chief Operating Officer at AVAST Software.

AVAST Software just released a new app called avast! Ransomware Removal that will eliminate the malware from an infected device. Get it free for your Android smartphone and tablet from the Google Play Store.

avast! Ransomware Removal will tell you if your phone has ransomware on it. If you are infected, it will eliminate the malware. Android users who are clean, can use the free app to prevent an infection from happening.

This short video shows you what actually happens when ransomware infects your Android smartphone.

The next wave of attacks

Savvy malware writers know where the next round of victims can be found. With Android at a whopping 80% worldwide market share, as well as “billions” of remaining mobile subscribers ready to upgrade to smartphones, the targets are numerous.

After detecting the massive growth of ransomware on PCs, this spring AVAST Virus Lab researchers saw the malware migrating to the Android platform. Analysts identified fake government mobile malware, and early this month a new ransomware called SimplLocker proved to be successful. This proof-of-concept worked so well encrypting photos, videos, and documents stored on smartphones and tablets, that the Virus Lab immediately ordered a tool from our mobile development team to combat it - avast! Ransomware Removal.

“SimplLocker blocks access to files contained on mobile devices. Without our free ransomware-removal tool, infected users have to pay $21 to regain access to their personal files,” said Vlcek. “SimplLocker is the first ransomware that actually encrypts these files, so we developed a free tool for people to restore them.”

Find. Kill. Prevent.

Install avast! Ransomware Removal to find out if your Android devices are infected and to get rid of an infection. Anyone infected by SimplLocker, Cryptolocker, or any other type of ransomware can download the free avast! Ransomware Removal tool, and then install the app remotely on the infected device. Once installed, you can easily launch the app to scan the device, remove the virus, and then decrypt your hijacked files.

To keep your devices protected from Cryptolocker, SimplLocker, and other ransomware, make sure to also install avast! Free Mobile Security & Antivirus from the Google Play store. It can detect and remove the malware before it is deployed.


avast! GrimeFighter cleaned “Grime” away and gave an author his beloved laptop back.

Writers have their rituals and their favorite ways to write. For example, author Truman Capote always wrote while stretched out on his couch or bed with cigarettes and drinks (mint tea in the morning; martinis at night) within reach. Philip Pullman, author of The Golden Compass famously writes in a shed by hand, using a ballpoint pen on narrow lined A4 paper (with two holes, not four). Douglas Adams typed Hitchhiker’s Guide to the Galaxy on his old Hermes 8 typewriter.

So it wasn’t much of a surprise to hear from author Richard Skorupski about the decline of a trusty “old friend.” The surprise was how avast! GrimeFighter brought that friend out of retirement. Here’s the story Richard shared with us:

A story about an old friend

For a man I can compare it to a favorite tee shirt or faded work jeans. For a woman I can compare it to a favorite pair of comfortable shoes.

That’s right I love my old laptop. It has been with me and served me well through years of blogs, rants, surfing and (of course) the writing of my books. Both Flyover County and The Fred Weber Story were written entirely on that laptop. The two books together are more than a million words. Add that to the other things I have written over the years and there is no wonder why the letters are worn off the keys. It is like having a best friend at my fingertips. My fingers fell in just the right place.

Sure, the case is scratched, the battery is shot and I’m on the second screen, but it was still my favorite writing tool. That is, until it got too old. As time wore on, my old friend got slower and slower. I understood; this old XP machine was born nine years ago in 2005, that has to be at least one hundred thirty in computer years. It finally got to the point where I put it out to pasture. I kept it around for the files it remembered and the picture memories it held, but I didn’t ask it for hard work anymore.

Now the turn of events. I was with my wife at an Expo vendor show in Huron, South Dakota over the weekend. There was a guy there who sells repaired and refurbished used computers. I knew him because he sold me my replacement computer a few months back. I was talking to him about my old laptop and how it now took over forty-five minutes to boot up. I told him I couldn’t play with my old friend anymore because it was simply too slow. He said he may be able to fix it, no guarantees, for a fifty-dollar service fee.

That got me thinking. I have seen those commercials on television for speeding up older computers. I wasn’t sure about them enough to trust what they were telling me. I had another answer. I use Avast! Antivirus software on all my home computers. They have recently produced GrimeFighter. They told me that they could make my old friend run like new again. Since I had confidence in Avast! as a company, I bought their product.

I installed the software and (after a couple of calls to a very helpful customer service) the thing was off and running. GrimeFighter jumped in and started cleaning. The thing took two hours to clean up years of gunk. In the end the report told me I was good to go (other than a very old battery – something I already knew).

So here I am this morning, sharing quality time with my old friend. He is feeling much better, he is spry and chipper and faster than he has been in years. I’m looking forward to all the stories we will tell together in the months (and perhaps years) to come.

Thank you Avast! Now, if you could just find a rejuvenator for humans…

avast! GrimeFighter can help you bring your own “old friend” back from the dead. Read more about how GrimeFighter can speed up your old laptop. Scan your computer for free, then buy your own GrimeFighter license, and purge Grime from your PC.

It’s been a few days since Richard let the minions clean “Grime” from his old laptop and he says, “I haven’t touched the new computer since I ran Grime Fighter on this one.”

Android malware analyst Filip Chytrý will be speaking at the CARO Workshop 2014

The avast! Virus Lab professionals work together to stop malware from attacking your Android mobile phone.

Filip Chytrý, an analyst in the avast! Virus Lab, will “Declare War Against Android Malware” together with his colleague Peter Kalnai at the 8th International CARO Workshop, held in Melbourne, Florida this week. CARO (Computer Antivirus Research Organization) is a technical gathering of malware experts from around the world who share case studies of mobile attacks, give real-life attack demonstrations, and present plans for the identification and investigation of coordinated mobile threats.

Along with his specialized knowledge in Android malware, Filip is a really fun guy. I asked him a few questions, so that you could meet one of the AVAST professionals directly responsible for keeping tens of millions of Android smartphone users safe from threats.

DEBORAH Thanks for taking time during your preparations for CARO to meet our users via the AVAST blog. Your job analyzing Android-targeted malware didn’t even exist when you were a little boy. What early experiences with technology influenced your career path?

Filip has worn cool shoes all his life

FILIP Define early. I’ve been addicted to PCs since childhood. I had my very first PC when I was 8 years old; some old piece of junk which was at that time probably older than I, but I still have remarkable memories of that time. So from that time on, I was influenced by technology. Even in my leisure activities, I concentrated on PCs. I went on to graduate from the School of Applications Cybernetics in Hradec Králové in Czech Republic.

DEBORAH Protecting people’s desktop computers is how AVAST started, and now we’ve added free mobile security to our product offerings. How do we teach people to keep their smartphones and tablets safe just like their computers?
FILIP Most people still do not realize that their smartphones actually have more computing power and abilities than the computer they had in their homes five to ten years ago. The capabilities of their devices are incredible. Data on portable devices may say more about you than data from your PC. You have location data there, pictures, social media information and so on.

Ransomware, which has already made its rounds on Windows, is now increasingly targeting the Android operating system. A new piece of mobile malware, posing as a government agency and detected as Android:Koler-A, is now targeting users.

We have full control of your phone – give us $300 and we’ll give it back

The ransomware is pushed automatically from fake porn sites visited by Android users as a malicious .apk file that presents itself as an ordinary app. The innocent appearance of the app is a powerful social engineering tactic used by malware developers to trick people into installing it. The delivery method is not the only thing that makes the app suspicious and potentially dangerous: the access it seeks is highly unusual and alarming. The ransomware requests full network access, permission to run at startup and permission to prevent the phone from sleeping (the INTERNET, RECEIVE_BOOT_COMPLETED and WAKE_LOCK permissions). Once installed, this access allows the ransomware to take control of the device. Full network access lets the malicious app communicate over the web and download the ransom message that is shown on the captive device, while the permissions to run at startup and to prevent the phone from sleeping lock the phone down, so that victims cannot escape the ransom message even by rebooting.

The ransomware localizes its fake government messages depending on the user’s GPS location, accusing the user of having viewed and downloaded inappropriate and illegal content. What does the ransomware do next? It demands a ransom, of course. The ransom for regaining access to the device, including all of its apps, which it claims are encrypted, is set at around $300 and is to be paid through hard-to-trace means such as MoneyPak.
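Both the premium-SMS apps from the ad-network post earlier on this page and the Koler-A app described above announce their intentions in the permissions and components they declare in AndroidManifest.xml. The triage script below is an added example written for this page, not code from Avast or from either malware family. Its rules are an assumption that reflects the behaviour the two posts describe, the package names are made up, and the three manifests are constructed rather than taken from real samples (a manifest inside a real APK is binary XML and must first be decoded, for example with apktool):

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permission combinations and what they suggest. These rules are an assumption
# for this example; they mirror the behaviour described in the two posts.
RULES = [
    ({"android.permission.SEND_SMS"},
     "can send SMS: premium-rate fraud risk"),
    ({"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"},
     "can send and intercept SMS: could hide carrier confirmation replies"),
    ({"android.permission.INTERNET", "android.permission.RECEIVE_BOOT_COMPLETED",
      "android.permission.WAKE_LOCK"},
     "starts at boot, keeps the device awake and talks to the network: lock-screen ransomware pattern"),
]


def permissions(manifest_xml):
    """Set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID + "name") for el in root.iter("uses-permission")}


def boot_receivers(manifest_xml):
    """Names of <receiver> components that listen for BOOT_COMPLETED."""
    root = ET.fromstring(manifest_xml)
    found = []
    for receiver in root.iter("receiver"):
        actions = {a.get(ANDROID + "name") for a in receiver.iter("action")}
        if "android.intent.action.BOOT_COMPLETED" in actions:
            found.append(receiver.get(ANDROID + "name"))
    return found


def triage(manifest_xml):
    """Return the list of findings for a decoded AndroidManifest.xml."""
    perms = permissions(manifest_xml)
    findings = [label for needed, label in RULES if needed <= perms]
    for name in boot_receivers(manifest_xml):
        findings.append(f"receiver {name} restarts the app after every reboot")
    return findings


# Constructed manifests with made-up package names.
SMS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.adult.video">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Video Player"/>
</manifest>"""

LOCKER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.locker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Player">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Weather"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("sms", SMS_MANIFEST), ("locker", LOCKER_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

Permissions alone are a coarse signal (a legitimate messaging app also declares SEND_SMS), which is why the Koler-A post tells users to look at what an app asks for in the context of what it claims to be: a video player has no business starting at boot or sending text messages.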

avast! Mobile Security safeguards against ransomware

Both AVAST’s free and premium mobile security apps, avast! Mobile Security and avast! Mobile Premium, protect customers from falling for the devious apps containing this ransomware. AVAST detects it under the name Android:Koler-A and blocks its execution.

We recommend that everyone be cautious when downloading apps, especially from unofficial app markets. We also urge users to not open any files that have been downloaded to their device without their consent. Always check what apps want to access and in addition to being cautious, we advise people download antivirus to protect their devices. This new ransomware appearing on Android is the perfect example of how malware is starting to move away from the PC environment and into our pockets and there are no signs of this slowing down.
